-
Notifications
You must be signed in to change notification settings - Fork 697
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default to running Elasticsearch as ReadOnlyRootFilesystem: true
#6688
Conversation
Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
Add constants for Elasticsearch volume name, and mount path for temporary volume Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
…lesystem. Signed-off-by: Michael Montgomery <mmontg1@gmail.com>
buildkite test this -f p=gke,s=8.7.0,s=7.17.8 |
buildkite test this -f p=gke,t=TestVolumeEmptyDir -m s=8.7.0,s=7.17.8 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
resolves #6126
nit: I think this change is a good thing, but unless I'm missing something it does not solve #6126. The requirement is to be able to run the whole Pod
with readOnlyRootFilesystem: true
, which is for now not possible for the init container elastic-internal-init-filesystem
(this is something I missed during my initial review of the issue).
I'm also wondering if it would be a good thing to include other security settings like:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
Thanks for the heads up about wanting to run the whole pod as read-only @barkbay .
So I was reviewing this and am curious about the history of the approach we take. From what I see happening in this init container that would violate having it mounted as read-only are these copy operations:
Why are we not simply mounting these keys as files from the secret/cm into this location? For example (untested atm):
|
Also note that
|
So the solution to one of the 2 issues (that we know of) is having a separate secret for each of these files that are needed to be propagated into the config directory and cannot be renamed or pointed to a different file in the As for the issue of the configuration directory we can adjust this via
How would you feel about this proposal @barkbay :
|
Just jumping in here (hope you don't mind). That would be awesome. Currently we are enforcing our namespaces to have a restricted pod security standard. However, this operator breaks under this enforcement without the above. |
Unfortunately
But maybe this is something we can discuss with the Elasticsearch team. |
I'll discuss with the Elasticsearch team and see what can be done. Thanks |
@barkbay elastic/elasticsearch#95390 opened against Elasticsearch for this change after speaking with this and seeing no reason to not make this change. |
And the PR was already merged so we can enable and test these against 8.8-SNAPSHOT when it becomes available. How would you feel about the above proposal @barkbay against 8.8+ only? |
Superseeded by #6703. |
Primary Change
This enables running Elasticsearch with
readOnlyRootFilesystem: true
as this aligns with security best practices.Todo
related #6126